
42.
Important Note
• This step is to be performed at the server side.
• Why?
• Because you need to use your Client ID and Client Secret alongside the Authorization Code you just received to gain an Access Code.
• The Access Code is required to gain access to protected resources.

49.
Understanding the URL
• client_id – The ID of the Client App
• redirect_uri – Where to go back after OAuth
• scope – Permissions allowed by the User
• state – Something to pass back to redirect_uri
• response_type = "code" means authorization code
• access_type = "offline" to get access to the "refresh_token"
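As an added example (not code from the deck), the two slides above carried through in Python for a confidential client: the authorization URL is assembled with exactly the parameters listed (client_id, redirect_uri, scope, state, response_type=code, access_type=offline), the state is generated as an unguessable per-session value and checked when the user comes back to redirect_uri so a callback the client never initiated is discarded, and the exchange of the authorization code is prepared as the form body that the server side POSTs with its client secret. The endpoints, client id and secret are constructed placeholders; no network call is made. What the deck calls the "Access Code" is the access token the token endpoint returns for this request.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder endpoints; a real provider publishes its own.
AUTHORIZATION_ENDPOINT = "https://auth.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"


def generate_state() -> str:
    """Unguessable value bound to the user's session. The authorization
    server echoes it back unchanged at redirect_uri."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state, offline=True):
    """Assemble the URL the browser is sent to (slide 49)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # permissions the user is asked to allow
        "state": state,                     # comes back to redirect_uri unchanged
        "response_type": "code",            # authorization code flow
    }
    if offline:
        params["access_type"] = "offline"   # ask to be issued a refresh_token
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def query_params(url) -> dict:
    """Flatten the query string of a URL into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(callback_url, expected_state) -> str:
    """Handle the redirect back to redirect_uri and return the one-time
    authorization code. A missing or mismatched state means the response
    does not belong to a request this client made, so it is rejected."""
    query = query_params(callback_url)
    if "error" in query:
        raise PermissionError(query["error"])
    returned_state = query.get("state", "")
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"]


def build_token_request(client_id, client_secret, code, redirect_uri) -> dict:
    """Form body for the server-side exchange (slide 42). The client secret
    is why this step runs on the server and never in the browser or app."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must match the one used in the authorization URL
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed walk-through: the redirect comes from the authorization
    # server in real life; here it is built by hand.
    state = generate_state()
    url = build_authorization_url("app-123", "https://app.example.com/cb",
                                  ["calendar.readonly", "email"], state)
    print("send browser to:", url)
    callback = "https://app.example.com/cb?" + urlencode({"code": "constructed-code", "state": state})
    code = parse_callback(callback, state)
    print("POST to", TOKEN_ENDPOINT, build_token_request("app-123", "placeholder-secret", code,
                                                          "https://app.example.com/cb"))
```

The token request is returned as a dict rather than sent so the example stays offline; in practice it is POSTed as a form body over TLS from the server that holds the secret, and only the returned access and refresh tokens are kept.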

74.
Use Cases
• Strong trust between Resource Owner and Client, e.g. Operating System or Privileged App
• Client is not supposed to store the Credentials but only the Access Token and Refresh Token if provided
• Example – Salesforce OAuth has provision for this

77.
Use case
• The data accessed is not owned by the Resource Owner, but by the Client
• Say Skype showing statistics of uptime of its services

78.
Use case
• There is a contract already set between the Client and the Authorization Server
• E.g. Google Apps Marketplace
• An App installed on Google Apps requires permission to everyone's calendar in that domain. This permission is provided by the admin and not the end user.

81.
Disclaimer
• Following slides are extracted from http://www.slideshare.net/briandavidcampbell/is-that-a-token-in-your-phone-in-your-pocket-or-are-you-just-glad-to-see-me-oauth-20-and-mobile-devices
• I have no claim on the following slides with reference stated in them
• Thank you Brian Campbell for the excellent presentation

92.
Pros and Cons
• Pros
– Easier to monitor pages and extract authorization or access codes
• Cons
– May not appeal since neither https nor domain name is visible
– WebView has separate cookie and history, leading to the client entering credentials each time

105.
OpenID Connect
• Why did it come into the picture?
– Both OpenID and OAuth rely on redirection to allow the client to be granted permissions
– Protocol flow is similar – redirection & verification
– Passing permissions to gain authentication (identity information) is the same as passing permissions to gain authority to some APIs